
I am trying to install a Let's Encrypt SSL certificate for my website on an Amazon EC2 Linux AMI server.

I followed the steps in the documentation: Tutorial: Configure SSL/TLS on Amazon Linux https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-ami.html

After SSHing in and running these commands to generate the certificate

sudo yum install -y mod24_ssl
sudo chmod 600 custom.key
sudo openssl req -new -key custom.key -out csr.pem

Amazon sort of leaves you hanging at Step 2 => Stage 4.

“Submit the CSR to a CA.”

With no CA recommended, I decided to use letsencrypt, since certbot is usually very reliable on EC2 Linux 2.

Then I got this error

The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

1 Answer

Tip: to find out whether your Bitnami stack uses Apache or NGINX, check the output of the command sudo /opt/bitnami/ctlscript.sh status.

NGINX:

So it turns out there is an end-of-life plan for ACMEv1, which was Let's Encrypt's original method of generating certificates.

Read the article here: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430

The original protocol used by Let's Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol. Today we are announcing an end of life plan for ACMEv1.

This is my entire process for installing certbot-auto. I am sharing my whole list of commands because you may find you have the same problem as me, depending on which kinds of packages you have installed. (This is also tricky because Amazon runs their own version of Linux on the EC2 AMIs.)

Tried installing certbot-auto

wget https://dl.eff.org/certbot-auto

Then I tried changing the permissions to get certbot-auto to work

sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

Tried installing again

wget -N https://dl.eff.org/certbot-auto.asc

Had to install EPEL because of AWS Linux

sudo amazon-linux-extras install epel

Then ran

sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Then

sudo yum install certbot-apache

Then tried

sudo yum install mod_ssl python-certbot-apache
chmod +x certbot-auto 
sudo mv certbot-auto /usr/local/bin/certbot-auto

Then ran the command

certbot-auto certonly --standalone -d yourwebsite.com --debug

This is where I hit the error:

To solve my problem, I had to do the following steps:

Run this command with your Amazon DNS IP (from inside etc/letsencrypt):

sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d ec2-00-000-000-000.eu-west-2.compute.amazonaws.com

The DNS IP looks like this: ec2-00-000-000-000.eu-west-2.compute.amazonaws.com

So just replace the example above with your own (found in your AWS console => EC2)

You should see this:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I chose 3

This is where I hit the error again:

The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Saw this:

Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

I added my domains as example.com and www.example.com

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): example.com , www.example.com

Saw this

Performing the following challenges:
http-01 challenge for example.com

Then this

PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

So had to do this:

Check which vhosts you have running

apachectl -t -D DUMP_VHOSTS

So looked up the configs I might have

find /etc/httpd -name '*.conf'

Then edit your config with vim or nano or whatever you like //VIM

 vi /etc/httpd/conf/httpd.conf

//nano

nano /etc/httpd/conf/httpd.conf

Copy-paste your virtual host into your config (change the 3 places according to your website)

#Virtual Host added for Letsencrypt
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "example.com"
    ServerAlias "example"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

//then just :wq to save (if you are in vim)

Run again (from inside etc/letsencrypt)

sudo ./certbot-auto --debug

**Saw this**

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
- - - - - - - - - - - - - - - - - - 

Selected 1...

It worked!

Hope this helps

APACHE BITNAMI APPLICATIONS:

https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

answered 2020-06-28T02:45:47.633
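An added pre-flight script (not part of the original answer) for the two failures the answer walks through: the retired ACMEv1 directory URL passed with --server, and the missing port-80 virtual host that makes the apache plugin fail the http-01 challenge. The httpd.conf it checks is a constructed sample written to a temp file; the domain names are placeholders.

```shell
# Added example, not from the original answer: pre-flight checks for the two
# failures above (retired ACMEv1 directory URL, no port-80 vhost for http-01).
ACME_V1_DIR="https://acme-v01.api.letsencrypt.org/directory"   # retired
ACME_V2_DIR="https://acme-v02.api.letsencrypt.org/directory"   # RFC 8555

# 0 if the --server URL is a Let's Encrypt ACMEv2 directory (production or
# staging), 1 for the ACMEv1 endpoint that now refuses account creation.
acme_server_ok() {
    case "$1" in
        *-v02.api.letsencrypt.org/*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# 0 if $1 (an httpd.conf) has a <VirtualHost ...:80> whose ServerName or
# ServerAlias equals $2, which the apache plugin needs to answer http-01.
port80_vhost_for() {
    awk -v want="$2" '
        /^[[:space:]]*<VirtualHost/    { in80 = ($0 ~ /:80>/); next }
        /^[[:space:]]*<\/VirtualHost>/ { in80 = 0; next }
        in80 && tolower($1) ~ /^server(name|alias)$/ {
            for (i = 2; i <= NF; i++) {
                v = $i; gsub(/"/, "", v)           # drop surrounding quotes
                if (v == want) found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample config: a 443-only vhost (what triggers the PluginError)
# followed by the port-80 block the answer adds. Written to the path in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName "example.com"
</VirtualHost>
#Virtual Host added for Letsencrypt
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "example.com"
    ServerAlias "www.example.com"
</VirtualHost>
EOF
}
# Demo on the constructed file; nothing under /etc/httpd is touched.
conf=$(mktemp)
write_sample_conf "$conf"
acme_server_ok "$ACME_V1_DIR" || echo "retired ACMEv1 server, use $ACME_V2_DIR"
port80_vhost_for "$conf" example.com && echo "port-80 vhost found for example.com"
rm -f "$conf"
```

Point port80_vhost_for at your real httpd.conf to confirm the port-80 block is in place before re-running certbot-auto.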